IoT and Security Standards and Best Practices

Topics covered in this chapter include

• Today’s Standard Is No Standard

• Defining Standards

• The Challenge with Standardization

• IoT Standards and Guidance Landscape

• Standards for NFV, SDN, and Data Modeling for Services

• Communication Protocols for IoT

• Specific Security Standards and Guidelines

Today’s Standard Is No Standard

IoT can be complex and quite broad in what it attempts to address and deliver. IoT can also look and feel very different between each implementation or use case. Yet consistently, for IoT to deliver on the promised business value through connecting things and leveraging produced data for business insight, it must enable devices, networks, and applications to seamlessly work and interoperate together to produce “smart” outcomes. It must also do this in a secure way. If we are unable to deliver on this promise, then we might as well revert back to proprietary or single-vendor solutions and give up on the potential value IoT brings. The question is, will this ever happen? And will we see a time when only a few open IoT standards exist to easily enable the implementation of solutions in a consistent, secure, and manageable way?

In 2015, a McKinsey and Company report concluded that incompatibility is the number one problem facing IoT growth. The authors argued that interoperability among IoT systems is critical. Of the total potential economic value IoT enables, interoperability is required for 40 percent on average and for nearly 60 percent in some settings. With the estimated value of IoT reaching between $4 trillion and $11 trillion in revenue by 2025, the opportunity is huge. McKinsey and Company concluded, “The true potential of the market will be determined by the ability of policymakers and businesses to drive technology and innovation that is interoperable, secure, protective of privacy and property rights, with established business models that better facilitate and enable data sharing.” Clearly, to realize the benefit and value IoT can create, interoperability and standards are a must. This includes standards for interoperability and for securing the IoT.

As outlined in Chapter 1, “Evolution of the Internet of Things (IoT),” IoT has existed for many years. Various forms of standardization now being leveraged for IoT also have existed for years. Remember, we are using IoT here as an umbrella term that also includes industrial IoT and market- or sector-specific initiatives. Clearly, there are differences in terms of use cases and requirements; however, from a technology perspective, there are also many similarities. Even before the term IoT was widely adopted, elements of IoT, such as standardized communication protocols, were being explored. Standards for IoT started to really grow around 2013, with several maturing enough through 2014 to offer limited certification programs. Some of these earlier standards have even started to come to fruition and deliver against use cases. We have also seen some early harmonization of standards efforts for IoT. One example is the Open Connectivity Foundation (OCF), formed when the AllSeen Alliance and the OCF came together under the OCF umbrella, with the aim of providing the interoperability element of an IoT solution at all levels, including silicon, software, platform, and finished goods. The OCF message is clear and accurate: Interoperability standards are the starting point, but standards must progress to include security as a foundation and must address requirements for consumers, business, and industry to deliver value.

The reality, though, is that this is a nice success story in a sea of disparity and competing standards. Despite industry analysts cautiously predicting that 2017 would be the year when standards started to really align, this was not the case. The only agreed-upon conclusion is that we are still a long way from a universal IoT standard—or even two or three IoT standards. Today’s perspective from both analysts and researchers is that this disparity is likely to continue over the next few years at the very least.

So why is alignment difficult? After all, IoT is now accepted as a phenomenon, and consumers, vendors, businesses, and industries want it to succeed and provide the value it promises. If only it were that simple. In practice, a wealth of considerations have an impact on the creation and shaping of standards for IoT:

• There is still no single, agreed-upon definition of IoT. Without a universally accepted definition, how do you standardize for it?

• Many different forces continue to shape the IoT landscape, and these forces themselves are evolving. These forces can be broadly grouped into market and social trends, business digitization and transformation, the evolving workforce, and next-generation mobility for people and devices.

• As we discussed in Chapter 3, “IoT Security Fundamentals,” we need to standardize many different areas of IoT. An IoT system might contain communications, management, architecture, data normalization, services, security, hardware, applications, analytics, and so on. Even if one part were standardized, we might encounter interoperability issues with the other parts. Defining what and how things should be standardized is another challenge with no current answer.

• Different verticals and industries often have their own requirements and perspectives, thus driving different standards based on their needs. This could mean differences such as IT and OT standards within the same organization, or specific industry vertical initiatives such as smart cities, digital manufacturing, or smart energy that have different regulations or guiding principles.

• New use cases continue to arise, often driven by the advent of new technology. How can we constantly ensure that standards apply? Creating security by design is difficult if the use case is ahead of technology and security for that requirement. New use cases often leverage proprietary measures with the aim of them becoming standardized at some stage, but this usually results in limited security response capabilities (and even more standardization efforts).

• New technologies and technology architectures are still being developed. If we consider advancements in areas such as NFV, SDN, cloud, fog, software-defined automation (SDA), and autonomic networking, and couple this with new technology areas such as deterministic networking, NB-IoT and LoRa in the RF space, and 5G, and then throw in aspects of Big Data, analytics, machine learning (ML), and AI, we can see that the potential arena is huge. The Gartner Hype Cycle for the Internet of Things (2016) in Figure 4-1 highlights this landscape and shows the emergence of IoT areas; all of these need to be secured and, if possible, standardized.

Figure 4-1 The Gartner Hype Cycle for the Internet of Things (2016)

• Not all IoT solutions will be deployed in greenfield environments. In fact, a good percentage of environments exist today and are evolving. This means that legacy and proprietary technologies need to be integrated, further muddying the standardization opportunity.

• IoT is more complex than either IT or OT on their own. This might seem pretty obvious because often a combination of IT and operational technologies and systems is needed to deliver against a use case. However, IoT is often approached in the same way organizations address new technology as part of their core IT or OT business. By its very nature, IoT usually generates more data, is more geographically dispersed, contains new devices, involves new technologies, and produces a mixed IT/OT deployment environment.

• IPv6 is an enabler for IoT. IoT6.eu believes that many arguments and features (including scalability, a solution to the NAT barrier problem, multi-stakeholder support, and features such as multicast, anycast, mobility support, autoconfiguration, and address scope) demonstrate that it will be a key communication enabler for IoT in the future. IPv6 also supports tiny operating systems, provides increased hardware support, and supplies new protocols focused on interoperability among different layers of the IoT stack.

• Legislation and regulations are starting to arise. Early examples include NERC-CIP, for power utilities in North America, and ENISA, which focuses on delivering a governance framework to coordinate cybersecurity standardization within Europe.

• A major challenge is that standards groups, alliances, and consortia often consist of large vendors who are unlikely to want to give up their market share. We are starting to see potential shifts here, with customers demanding interoperable efforts. One example is the Open Group Open Process Automation standard, driven by Exxon Mobil requirements for its next-generation processing environments.

• The speed of standards development is usually slow. This contrasts with development within the communications industry, where technology moves at pace to address customer business needs. This pace can result in proprietary efforts because of business demand, not necessarily vendor choice.

• Security itself is not a simple phenomenon. It must be addressed across the board and built in from scratch, not just piecemeal. Security can often be a driver for change, but usually it is playing catchup to try to secure a lack of interoperability.

As a result, we are still waiting for the IoT market to develop an approach that would allow for a fully end-to-end, consistent security strategy. We also need to realize that many standards, guidelines, and consortia have existed before IoT (technology has been around for some time) and must still adapt to IoT. These other standards should not necessarily be discarded; they have already shown value.

Looking at these challenges, IoT remains something of a puzzle. The use cases and business scenarios require interoperability and simplification of technology to work, with enabling technologies rationalized around robust and secure standards that also include legacy environments. However, these use cases and business scenarios are still evolving, with new endpoints and technologies being frequently introduced into a landscape without appropriate standardization. This makes the idea of standards an even more complex and challenging task. We will look at this more closely in this chapter as we explore the following topics:

• How standards are defined

• Why we need standards

• An overview of the IoT standards landscape

• Standards for NFV and SDN

• Security standards for IoT and NFV/SDN

The aim of the chapter is not to detail or recommend standards and guidelines, but to raise awareness of what should be considered when planning to secure an IoT system. We also highlight some of the more robust standards and best practices today that can help.